OpenID - A Security Story

The other day Eugene Tsyrklevich has pinged me about his talk on OpenID security in regards to my article on Identity2.0 security issues that we face today. Eugene has presented an co-authored his research with Vlad Tsyrklevich at this year's BlackHat US. You can get the slides from over here and read the whitepaper from over there.

To summarize, the following issues are present with the current implementation of OpenID:

Other then that, OpenID is a great idea. It works and it scales quite well. However, make sure that you are protected against the above mentioned attacks. I would suggest for browser vendors to include builtin security features such as HTTPS should be enforced by default, CSRF against the identity provider domain should not be possible, etc. This can be accomplished with quite simple plugin for Firefox. Any takers?